Part 2: Microsoft's Approach to Cyber Resiliency
Cyber resiliency is an organization’s ability to build and manage technology systems that limit the impact of cyberattacks. It helps organizations maintain operations, securely and effectively, when cyberattacks occur. As Microsoft notes, “An organization can never have perfect security, but it can become resilient to security attacks.”
In Part 1 of this series, we looked at how the concept of cyber resiliency originated, introduced two foundational cyber resiliency frameworks and wrapped up with a quick look at some Microsoft cyber resiliency resources from our 2022 Digital Defense Report. In Part 2, we’ll dive deeper into Microsoft’s approach to cyber resiliency, starting back in 2002 with the famous Trustworthy Computing memo from Bill Gates himself.
Trustworthy Computing
In 2002, Microsoft co-founder and then-chairman Bill Gates emailed a memo to all Microsoft employees, outlining the need for a new approach to how the company provided security and resiliency to our customers, and calling for changes to Microsoft products and culture. Gates referenced September 11 and several serious malware incidents in 2001 that had caused significant business disruptions, emphasizing "how important it is to ensure the integrity and security of our critical infrastructure, whether it’s the airlines or computer systems." Gates also foresaw how increasingly connected and dependent on the Internet the world would become in the future – a concept that played a key role in the development of cyber resilience frameworks.
The Trustworthy Computing initiative was not created specifically to address cyber resiliency, but like cyber resiliency it was holistic in its treatment of security, covering diverse areas such as software development and customer support, as well as Microsoft’s internal operational and business practices. A 2014 article by Forbes praised Microsoft for the impact of Trustworthy Computing on security, not just for Microsoft products but for the entire IT industry, noting "We’ve come a long way from the 'Wild West' era of malware—thanks in large part to the ongoing efforts of Microsoft Trustworthy Computing."
Zero Trust
Microsoft didn't invent Zero Trust but has been an industry leader in actively promoting and developing Zero Trust strategies for many years, as well as using Zero Trust to secure our own environments. For example, Microsoft has collaborated with NIST (the National Institute of Standards and Technology) and other vendors to develop a practice guide to help organizations design and build Zero Trust architectures.
Zero Trust and cyber resiliency are not the same, but there are many similarities between them, starting with the idea that we must Assume Breach, given the speed, scale and sophistication of threat actors and the challenges every Security team faces. In addition:
- Both stress the importance of identifying the most critical business resources and prioritizing the protection of those resources
- Both are concerned with limiting the blast radius of an attack and reducing the attacker’s ability to move laterally
- Both are designed to protect hybrid environments across multiple pillars that include both legacy and modern technologies
- Both emphasize the need for the organization to continually adapt protections to keep up with threat actors
Secure Future Initiative
There are many similarities between the Trustworthy Computing initiative and Microsoft’s current Secure Future Initiative (SFI). Again, it began with an internal memo to employees, this time by Microsoft Security EVP Charlie Bell, in November 2023. Like Trustworthy Computing, SFI illustrates Microsoft’s leadership in addressing current cybersecurity challenges, which now include AI advancements, increasingly sophisticated ransomware-as-a-service organizations, and nation-state activity targeting critical infrastructure. Like Trustworthy Computing, SFI is holistic in nature. As Vice Chair and President Brad Smith emphasized in his own introduction to SFI, "This new initiative will bring together every part of Microsoft to advance cybersecurity protection."
The Secure Future Initiative is also rooted in Microsoft’s experiences as a company dedicated to continually improving our own cyber resilience. In a May 2024 report on SFI progress, Microsoft CEO Satya Nadella noted that cyberattacks, such as the 2023 Storm-0558 attack that targeted Microsoft, "underscore the severity of the threats facing our company and our customers, as well as our responsibility to defend against these increasingly sophisticated threat actors." Finally, like Trustworthy Computing, SFI is clear that security – both for Microsoft and for our customers – is the company’s number one priority. Nadella concluded his message with a familiar call to action for Microsoft employees: "If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security."
Microsoft's Key Issues Impacting Cyber Resiliency
Part 1 of this series introduced Microsoft’s key issues impacting cyber resiliency. These are issues that we in MIRCAT (the Microsoft Incident Response Critical Action Team) routinely address in our incident response/compromise recovery work with clients:
- Insecure configuration of identity provider
- Insufficient privileged access and lateral movement controls
- No Multi-Factor Authentication
- Low maturity security operations
- Lack of information protection control
- Limited adoption of modern security frameworks
Each of these issues is further broken down into distinct components. For example, the issue Insufficient privileged access and lateral movement controls has five components:
- No privilege isolation in Active Directory via tier model
- No use of Privileged Access Workstations
- Lack of local admin password management controls
- Lack of Privileged Access Management controls
- Excessive admin credentials found
Trying to address all cyber resilience issues at once can be overwhelming for clients, which is why we emphasize taking a phased approach to each issue and component. For example, Lack of Privileged Access Management controls in Microsoft Entra ID can be addressed with Microsoft Entra Privileged Identity Management (PIM). When helping a client implement PIM, we employ a phased approach that might look something like this:
Phase 1: Implement PIM to protect privileged roles in Entra, starting with Global Administrators and guest accounts. Gradually onboard additional Entra Admin roles.
Phase 2: Implement PIM to protect select highly privileged roles in the most business-critical Azure subscriptions. Gradually onboard additional subscriptions.
Phase 3: Extend PIM management to more complex use cases involving time-bound privileged group membership, authentication context and approval workflows.
When implementing a security technology to help your organization increase cyber resiliency, your goal should be to implement it fully with no exceptions. Unfortunately, in incident response and compromise recovery engagements we often see gaps that limit our clients’ resilience to cyberattacks. For example, we regularly work with clients who tell us that they’ve implemented PIM, only to find that many privileged roles are still permanently and actively assigned outside of PIM, which means those assignments never pass through PIM’s just-in-time activation, approval and MFA-on-activation controls. In other cases, we see PIM used only for Entra roles while no privileged access controls are applied to the Azure subscriptions running business-critical workloads.
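The following PowerShell script is an added example, not code from the original post or from Microsoft’s PIM documentation, that surfaces the first gap described above: Entra directory roles that are held as permanent, active assignments instead of as PIM-eligible assignments. It uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance module); the roleAssignmentScheduleInstances endpoint it calls requires PIM to be licensed in the tenant. The $tier0Roles list is an assumption made for illustration and should be replaced with your own tier model.

```powershell
# Added example (not from the original post): find Entra directory role assignments
# that are permanent and active (made outside PIM) rather than PIM-eligible.
# Assumes Microsoft.Graph PowerShell SDK is installed and the signed-in account can
# read role management data.

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# Roles treated as Tier 0 for this check (assumption; adjust to your own tiering model).
$tier0Roles = @(
    "Global Administrator",
    "Privileged Role Administrator",
    "Privileged Authentication Administrator",
    "Security Administrator",
    "Exchange Administrator",
    "SharePoint Administrator",
    "Intune Administrator"
)

# Map role definition ids to display names once, instead of one lookup per assignment.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object {
    $roleNames[$_.Id] = $_.DisplayName
}

# Active assignment instances. AssignmentType 'Activated' means a PIM activation of an
# eligible assignment; 'Assigned' with no EndDateTime is a standing, permanent assignment.
$active   = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All

$findings = foreach ($a in $active) {
    $role = $roleNames[$a.RoleDefinitionId]
    $permanent = ($a.AssignmentType -eq 'Assigned') -and (-not $a.EndDateTime)
    if ($permanent) {
        [pscustomobject]@{
            Role        = $role
            Tier0       = ($tier0Roles -contains $role)
            PrincipalId = $a.PrincipalId        # user, group or service principal object id
            MemberType  = $a.MemberType         # Direct, Group or Inherited
            Scope       = $a.DirectoryScopeId   # '/' is tenant-wide; otherwise an AU or app scope
        }
    }
}

# Tier 0 findings first, then the rest grouped by role.
$findings | Sort-Object -Property Tier0, Role -Descending | Format-Table -AutoSize

"PIM-eligible assignments:               $($eligible.Count)"
"Permanent active assignments (non-PIM): $($findings.Count)"
"  of which Tier 0:                      $(($findings | Where-Object Tier0).Count)"
```

Any row in the output is an assignment that never goes through PIM activation; the Tier 0 rows are the ones to convert to eligible assignments first, which matches the Phase 1 ordering above. The Az.Resources module exposes the corresponding Azure resource view (Get-AzRoleAssignmentScheduleInstance and Get-AzRoleEligibilityScheduleInstance at a subscription scope) for the Phase 2 check, with the same Assigned-versus-Activated distinction.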
At the same time, when business reasons dictate that a cyber resilience control cannot be fully implemented, organizations should not adopt an all-or-nothing approach. For example, financial constraints prohibit some clients from providing privileged access workstations to all administrators or FIDO2-compatible security keys to all users. In those cases, organizations are encouraged to start by providing those additional protections to Tier 0 administrators at a minimum, followed by Tier 1 administrators of business-critical workloads.
Conclusion
In Part 2 of our series, we explored how Microsoft has been an industry leader in cyber resiliency over the years, beginning with the days of Trustworthy Computing more than 20 years ago. We also delved deeper into Microsoft’s current guidance on the key issues that we see limiting our customers’ cyber resilience.
The journey to cyber resilience is a challenging and time-consuming one with a lot of Big Rocks that clients commonly struggle with:
- Vulnerability management
- Policy management
- Securing privileged access
- Adapting to the continuously changing cyber threat landscape
- Maturing the SecOps capability
Fortunately, it’s a journey that organizations don’t have to make alone, and increasingly it’s a journey that AI can help with. And that’s what we’ll examine in the final part of this series.
Updated Mar 24, 2025
Version 1.0
LizTesch, Microsoft
Microsoft Security Blog